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The quantum key distribution protocol without public announcement of bases is equipped with a 
two-way classical communication symmetric entanglement purification protocol. This modified key 
distribution protocol is unconditionally secure and has a higher tolerable error rate of 20%, which 
is higher than previous scheme without public announcement of bases. 
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I. INTRODUCTION 

Quantum key distribution (QKD) is one of the most 
important and exciting fields in quantum information. 
Its basic idea is to make use of principles in quantum 
mechanics to detect whether there exists an eavesdrop- 
per Eve, when two parties, Alice and Bob use quantum 
channel to perform key distribution. In this way, the se- 
curity is much higher than that with only classical com- 
munications. The earliest QKD protocol was proposed 
by Bennett and Brassard in 1984 (BB84)^i|. It is a kind 
of prepare-and-measure QKD protocol, a protocol that 
Alice first prepares a sequence of single photons, and she 
sends them to Bob who measures each single photon im- 
mediately after receiving it. Such kind of protocols are 
much more practical because they do not require quan- 
tum computation and quantum memory. 

The security of QKD protocols is a basic problem in 
quantum information. BB84 protocol has been proved to 
be secure when the channels are noiseless. However, it 
is until recently that its unconditional security has been 
proved. Mayers 2j and Biham*^ presented their proofs, 
but the proofs are rather complex. In Mayers' proof, 
BB84 protocol is secure when the error rate of the chan- 
nel is less than about 7%. Shor and Preskillj^l gave a 
much simpler proof which guarantees the unconditional 
security of BB84 protocol if the error rate is less than 
about 11%. And then, Gottesman and Lo0 brought 
two-way classical communications to BB84 protocol, and 
obtained a much higher tolerable error rate, 18.9%, which 
makes sure that the BB84 protocol with two-way classical 
communications is unconditional secure. Recently, Chau 
has presented a secure QKD scheme making use of an 
adaptive privacy amplification procedure with two-way 
classical communications whenever the bit error rate is 
less than 20.0%|3. 

It is known that the standard BB84 protocol will use 
only half of the transmitted qubits for key distribution. 
In order to enhance the efficiency of the standard BB84 
protocol, many variations have been proposed. BB84 
without public announcement of basis (PAB) is just such 
a protocol I?!. In the eavesdropping detection process 



of standard BB84, Alice announces her basis string in 
which the qubit string is prepared, only after Bob has 
finished receiving and measuring the qubit string. This 
announcement step is called public announcement of ba- 
sis(PAB). PAB guarantees Alice and Bob to select the 
same measurement basis without eavesdropping. How- 
ever it also leads to waste of average one half of the 
qubits. In BB84 without PAB, the communication par- 
ties do not need PAB; instead, they agree on a secret 
random measurement basis sequence before any steps of 
standard BB84. Alice encodes qubits according to the 
prior basis sequence, and Bob uses the same basis se- 
quence to measure the qubits when he receives them. In 
this way, none of the measurement results will be dropped 
as a result of Alice and Bob choosing different measuring- 
basis. BB84 without PAB, therefore, is still a prepare- 
and-measure QKD. In the information processing of this 
protocol. Eve knows little about the secret prior basis se- 
quence yet, so all attacking strategies that she can use are 
still the same as those in standard BB84. As a result, the 
security of BB84 without PAB in noiseless channels can 
be derived easily from the proof of the noiseless security 
of standard BB84. 

In this paper, we concentrate on the security of BB84 
without PAB and its tolerable error rate. The proto- 
col has been proved to be secure through noisy channels 
following Shor and Preskill's method 8] which obtains a 
tolerable error rate of 11%, the same as that of standard 
BB84 4]. Recently, two-way classical communications are 
introduced in security proof and it increases the tolera- 
ble error rate of standard BB84 to 18.9%@ and 2O%0 
respectively. Inspired by this new idea, we prove the se- 
curity of BB84 without PAB with two-way classical com- 
munications. We first describe the notations in this paper 
in sectiorlTll In section iHll we present a QKD protocol 
without PAB and with a two-way entanglement purifi- 
cation protocol(2-EPP), and prove its security. Then we 
use a theorem in section HVl to reduce the protocol into a 
prepare-and-measure protocol, that is, the BB84 without 
PAB and with two-way classical communications, and 
gives a detailed example in section to obtain its mini- 
mal tolerable error rate of 20%. We give a brief summary 
in section IVTI 
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II. NOTATIONS 

The notations in this paper are mostly the same as 
those in Gottesman and Lo's paperQ. A Pauh operator 
acting on n qubits is a n-dimension tensor product of 
individual qubit operators that are of the following forms: 

I {the identity), X ^ ^ ^ ) ' 

Note that X, Y and Z operators are anti-commutative 
with each other, and all the Pauli operators have only 
eigenvalues +1 and -1. 

Bell bases are the four maximally entangled states 

= i=(|01) ± 110)),$^ = -i=(|00) ± 111)). (2) 

A symmetric EPP can be described with a set of opera- 
tors {M^} plus unitary decoding operations C/^(8)(P^C/^), 
where is a Pauli operator. Each is a particular 
measurement step of the protocol with the index /i which 
denotes a measurement history sequence in which each 
bit is or 1 based on the outcome of the corresponding 
measurement step. According to the history sequence /x, 
Alice and Bob should both choose the same operator 
to do measurement and this is why the EPP is called 
symmetric. C/^ (P^C/^) is error correcting operations 
depending on fi after they obtain all error syndromes. 
Alice performs [/^ while Bob performs P^C/^ operation. 

In various symmetric EPPs, there exist a set of the 
EPPs in which all measurements are of eigenspaces of 
Pauli operators, and the decoding operator [/^ is a Clif- 
ford group operator, and the error-correcting operator 
P^ is a Pauli operator. This set of symmetric EPPs are 
called stabilizer EPPs. And if all measurements of a 
stabilizer EPP are either X-typc (including only I and X 
operators) or Z- type (including only I and Z operators), 
and involves only CNOTs, this stabilizer EPP is called 
a Calderhank-Shor-Steane-like SPP(CSS-like EPP). The 
CSS-like property comes from the idea of CSS code which 
decouples the error-correction of X and Z and guarantees 
the reduction in Shor and PreskiU's proof of BB84 . Be- 
low, all the EPPs are CSS-like unless noted explicitly. In 
CSS-code CSS(Ci,C2) is constructed from two classical 
linear codes Ci and C2 that encodes ki bit and ^2 bits of 
codewords into n-bits codewords, and C2 C Ci and Ci 
and C2 both correct t errors. 

In EPP with one-way classical communications (1- 
EPP), Alice does not know the measurement results of 
Bob and can not obtain the history sequence /i. There- 
fore, all the measurements and operations in 1-EPP are 
independent to /i. However in EPP with two-way classi- 
cal communications(2-EPP), Bob can also tell Alice his 
measurement results through classical channels, so the 
communication parties can make use of history sequence 
/i and choose proper measurement operator according to 



the current history, and the final decoding and error- 
correcting operations also vary with the measurement re- 
sults. In this way, 2-EPP are supposed to tolerate higher 
error rate than 1-EPP, and we will show that introduc- 
ing two-way classical communications indeed increases 
the tolerable error rate for BB84 without PAB. 



III. THE QKD WITH 2-EPP WITHOUT PAB 

In this section, we present a QKD protocol with 2- 
EPP without PAB, and prove its security through noisy 
channels. 

Protocol 1: QKD with 2-EPP without PAB 

1. Alice and Bob share a secret random {2n/r) bit 
string, and repeat it r times to form a basis se- 
quence b. 

2. Ahce prepares 2n EPR pairs in the state ($+)®2n^ 
and applies a Hadamard transformation to the sec- 
ond qubit of each EPR pair where the correspond- 
ing bit of the basis sequence 6 is 1. 

3. Alice sends the second half of each EPR pairs to 
Bob. 

4. Bob receives the qubits, and publicly announces the 
reception. 

5. Alice randomly chooses n pairs of the 2n EPR pairs 
as check bits to check the interference of Eve. 

6. Alice broadcasts the positions of the check EPR 
pairs. 

7. Bob applies a Hadamard transformation to the 
qubits where the corresponding bit of the basis se- 
quence & is 1. 

8. Alice and Bob both measure their own halves of 
the n check EPR pairs on the Z basis, and pub- 
licly compare the results. If there are too many 
disagreements, they abort the protocol. 

9. Alice and Bob apply 2-EPP to the remaining n 
EPR pairs, and then share a state with high fidelity 
to ($+)". 

10. Alice and Bob measure the state in the Z basis to 
obtain a shared secret key. 

In protocol 1, the idea of QKD without PAB is ap- 
plied in step 1, 2 and 7. Alice and Bob share a basis 
sequence b at the beginning. They can first distribute 
a smaller random sequence with bit length 2n/r by an- 
other QKD protocol or other methods, then repeat it r 
times. Although the basis sequence 6 is a repeat of a 
random string, if r is small and n is large enough, the 
information of the base sequence of Eve is still exponen- 
tially small for n, and the effect of r is only to increase 



3 



the information of the base sequence of Eve by multiply- 
ing polynomial of r. Therefore, we can affirm that Eve 
knows very little about the basis sequence. 

Knowing that Eve knows very little about b, we can 
follow the method of Gottcsman and Lo §\ to derive the 
unconditional security of protocol 1. First, protocol 1 
is based on stabilizer EPP, hence the quantum channel 
is equivalent to a Pauli channel. Furthermore, because 
all operators in protocol 1 commute to each other, we 
can apply classical probability analysis. Calculating the 
probability of the success of error-correcting, because Eve 
knows little about the basis sequence, we find that the 
fidelity of the state shared by Alice and Bob after EPP to 
($+)®'" is 1 — 2"'' for a large factor s|3|. By lemma 1 and 
lemma 2 in Eve's mutual information with the final 
key is less than 2~'^ + 2*^^"^*) where c = s — log2(2r7i -|- 
s + 1/ In 2) . As a result. Eve's information about the final 
key is exponentially small and the unconditional security 
of protocol 1 is proved. 

IV. BB84 WITH TWO-WAY CLASSICAL 
COMMUNICATIONS WITHOUT PAB 

Protocol 1 is based on EPP which requires quantum 
computers to process. In this section, we will reduce pro- 
tocol 1 to a prepare-and-measure protocol, that is, BB84 
with two-way classical communications without PAB(2- 
BB84 without PAB). The equivalent reduction of proto- 
col 1 is based on the main theorem of Gottesman and 
Loj^. We revise it in a more simple way and apply it to 
protocol 1 as the following. 

Theorem 1 (Revised Main Theorem in fs*]) 

Suppose a 2-EPP is CSS-like and also satisfies the 
following conditions: 

1. If Mfj^ is X-type operators for a specific step with fj,, 
for the following step with fj,' ( fJ.' = fJ.0 or /il ), the 
choose of Mf^i is independent of the measurement 
result of M^, that is Af^o — M^i. 

2. The final decoding operations t/^ can depend ar- 
bitrarily on the outcome of the measured Z-type 
operators, but cannot depend on the outcomes of 
measured X-type operators at all. The correction 
operation can depend on the outcome of X-type 
operators, but only by factors of Z. 

Then protocol 1 can be converted to a prepare-and- 
measure QKD without PAB scheme with the same se- 
curity. 

The first condition in theorem 1 is equivalent to the 
tree diagram representation of the first condition of the 
main theorem in 0. If Ahce and Bob drop the phase- 
error, they do not know the exact result of the phase- 
error. In order to continue the 2-EPP, they must choose 
the unique measurement operator in the next step despite 
of the AT-type measurement outcome. The existence of 



the two condition guarantees this statement. And a CSS- 
like EPP makes that the corrections of bit-flip errors and 
phase-flip errors are separated. So Alice and Bob can 
perform only bit-flip error correction and do not require 
quantum computers to correct phase-flip errors. 

In detail, the first step is to throw away A-basis op- 
erations and measurements. The introduction of QKD 
without PAB in protocol 1 affects only in step 1 to 7, 
before the error correction and privacy amplification. It 
only modifies the choice of base sequence, and when the 
EPP is proceeded, all particles are in the Z-basis. There- 
fore, the transformation of 2-EPP quantum circuit inQ 
can be directly applied. After the transformation, Alice 
and Bob can obtain a classical circuit with measurements 
only in Z-basis. 

The second step is to transform the protocol into a 
prepare-and-measure QKD. Following the same idea in 
U, because all operations in protocol 1 commute with 
each other, it is not necessary for Alice to prepare and 
distribute EPR pairs and then measure them. Instead, 
Alice can measure them before distribution. In other 
words, Alice can just prepare a random binary string, 
and encode it into qubits, and send them to Bob. Also, 
Bob can measure the qubits in the basis according to 
the basis sequence immediately after he receives them, 
instead of using quantum memory to store the qubits. 
Thus, we can successfully transform protocol 1 into a 
prepare-and-measure QKD without PAB. 

In the final step, in order to simplify the protocol, Alice 
and Bob can perform 2-EPP to reduce the error rate of 
the qubits until both bit-fiip and phase-flip errors are 
lower than the bound of the capacity of 1-EPP. Then 
they can perform 1-EPP to correct the remaining error 
and obtain the final secret keyQ. 

Consequently, we can conclude the content above into 
protocol 2 as the following. 

Protocol 2: Secure BB84 with two-way classical com- 
munications without PAB 

1. Alice and Bob share a secret random {2n/r) bit 
string, and repeat it r times to form a basis se- 
quence b. 

2. Alice prepares 2n random qubits, measure each 
qubit in Z-basis which the corresponding bit of b is 
or in A-basis which the corresponding bit of b is 
1. So Alice obtain an random key and encode it in 
the qubit string. 

3. Alice sends the qubit string to Bob. 

4. Bob receives these 2n qubit string, measures it in 
Z-basis or A-basis according to b, and then publicly 
acknowledges the receipt. 

5. Alice randomly chooses n qubits as check bits and 
announces their positions. 

6. Alice and Bob compare the measurement results of 
the check bits, if there are too many errors, they 
abort the protocol. 
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7. Alice and Bob use a classical circuit transformed 
from 2-EPP to do error-correction until the error 
rates of both bit and phase are lower than the 
bound of the capacity of BB84 with one-way clas- 
sical communications, for example 11% in 

8. Alice and Bob use the method in BB84 with 
one-way classical communications to perform final 
error-correction and privacy amplification to obtain 
the key. For example, they can use CSS Code to 
correct errors, and obtain the coset 1^ + 02 as the 
secret keyQ. 

According to theorem 1, protocol 2 is equivalent to 
protocol 1. Therefore protocol 2 is also miconditional 
secure through noisy channels. 



V. AN EXAMPLE OF SECURE BB84 WITH 
TWO-WAY CLASSICAL COMMUNICATIONS 
AND WITHOUT PAB 

In section Hill we give the secure BB84 with two-way 
classical communications without PAB, that is protocol 
2. However, protocol 2 is still a theoretic scheme, and 
needs further study to exploit its capacity. In this section, 
a particular 2-EPP from Q is presented and transformed 
to the classical circuit. We use this classical circuit in step 
7 of protocol 2 so that we can estimate the lower bound 
of the tolerable error rate of protocol 2. 

Although the theorem 1 guarantees the security of pro- 
tocol 2, it is still necessary to find a practical 2-EPP that 
fulfills the theorem's conditions. Such a 2-EPP is pre- 
sented in induced from the classical error-correction 
theory. This 2-EPP contains alternating rounds of two 
major steps, that is, bit-flip error-correction step("B 
step") and phase-flip error-correction("P step") step: 

B step's']: Alice and Bob randomly permute all the 
EPR pairs. Then they each measure their own local Zi^Z 
in order to obtain the bit-flip error of the remaining out- 
put pair. If the results of Alice and Bob are different, they 
estimate that there is a bit flip on the remaining output 
pair, and discard it. This step is similar to advantage 
distillation in classical communications by Maurer[Toj. 

P step 5] : Alice and Bob randomly permute all the 
EPR pairs. Then they group them into sets of three, 
both measure ^1X2 and X1X3 on each set. This step 
can be transformed into a circuit that first perform a 
Hadamard transformation on each qubit, two bilateral 
XORs, measurement of the last two EPR pairs, and a 
final Hadamard transform. If Alice and Bob disagree on 
one measurement. Bob estimates that the phase error was 
probably on the first two EPR pairs and does nothing; if 
both measurements disagree. Bob assumes the phase er- 
ror was on the third EPR pair and corrects it by perform- 
ing a Z gate. This step is induced from 3-qubit phase-flip 
error correcting code, and will reduce the phase-flip error 
rate if the error rate is low enough. 



The completed 2-EPP consists of alternating rounds of 
the two steps above. In each round, Alice and Bob first 
perform a B step to calculate bit-flip error syndromes. 
This is a Z-type measurement step. Then Alice and Bob 
perform a P step to calculate phase-flip error syndromes, 
which is a A"-type measurement step. And P step does 
not affect later operations. So the 2-EPP satisfles the 
conditions of theorem 1. After P step, they estimate 
the error rate of the qubits by sacrificing some of them 
to measure. If the error rate is lower than the bound 
of BB84 with one-way classical communication, that is, 
about 11%, they use Shor and Preskill's method to obtain 
final key 01, otherwise, they go on with another round of 
B and P steps. 

By transforming the circuit of the 2-EPP according 
to theorem 1, we can get a more detailed protocol than 
protocol 2 as the following. 

Protocol 3: secure BB84 example with two-way classi- 
cal communications without PAB 

1. Alice and Bob share a secret random (2n/r) bit 
string, and repeat it r times to form a basis se- 
quence b. 

2. Alice prepares 2n random qubits, measure each 
qubit in Z-basis in which the corresponding bit of b 
is or in X-basis in which the corresponding bit of 
6 is 1. So Alice obtains an random key and encodes 
it in the qubit string. 

3. Alice sends the qubit string to Bob. 

4. Bob receives these 2n qubit string, measures it in 
Z-basis or AT-basis according to 6, and then publicly 
acknowledges the receipt. 

5. Alice randomly chooses n qubits as check bits and 
announces their positions. 

6. Alice and Bob compare the measurement results of 
the check bits. If there are too many errors, they 
abort the protocol. 

7. (B step)Alice and Bob randomly pair up their own 
bits. Alice publicly announces the parity(XOR) of 
the values of each pair of her own, that is, X2i-i © 
X2i, and Bob also publicly announces the parity of 
his corresponding pair, that is, y2i-i © 2/2i- If the 
parities agree, they keep one of the bits of the pair. 
Otherwise, they discard the whole pair. 

8. (P step)Alice and Bob randomly group the remain- 
ing bits in to sets of three, and compute the parity 
of each set. They now regard those parities as their 
effective new bits in later steps. 

9. Alice and Bob sacrifice sufficient m of the new bit 
pairs to perform the refined data analysis publicly. 
They abort if the error rate is too large. And if the 
error rate is low enough, they go to the next step, 
otherwise, they return to step 7. 
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10. Alice and Bob randomly permute their pairs, and 
use Shor and Preskill method 4] with one-way 
classical communications to perform final error- 
correction and privacy amplification. In detail, it 
contains the following sub-steps: 

1) Alice and Bob select a proper CSS(Ci,C2) 
Code Q. 

2) Alice randomly choose a codeword u from clas- 
sical linear code Ci, and announces u + 
where w is a remaining code bits. 

3) Bob subtracts u + v from his code bits, u -t- e, 
and obtains u 4- e, and then corrects it to a 
codeword w in Ci. 

4) Because code C2 in CSS Code Q is a subgroup 
of Fp which is the binary vector space on n 
bits[ll|, and u — w S C2, Alice and Bob use 
the coset of m -I- C2 as the final key. 

Protocol 3 consists of detailed operations of each step, 
which can be studied further, for example, the tolerable 
error rate. Reviewing the discussion in this section, the 
introduction of QKD without PAB does not affect the 
error-correction and privacy amplification of protocol 3. 
Thus, we can estimate the tolerable error rate of our pro- 
tocol without PAB directly from the same method in 
and 0. Firstly, from @, in BB84, the 2-EPP by alternat- 
ing B and P steps is successful provided that the bit error 
rate is lower than 17.9%. Hence, protocol 3 is secure with 
the same upper bound of error rate. However, Gottesman 
and Lo point out that alternating B and P steps is not 
optimal, and based on other arrangements of such two 
steps, the BB84 can achieve higher tolerable error rate 
of 18.9%|5|. Moreover, by applying adaptive privacy am- 
plification procedure with two-way classical communica- 
tions in Gottesman and Lo's method, Chau obtain that 
tolerable error rate of BB84 scheme is 20.0%,^. Such 



modifications in error correcting and privacy amplifica- 
tion procedure can also be applied to our BB84 proto- 
col with two-way classical communications and without 
PAB. In conclusion, our protocol is secure whenever the 
bit error rate is less than 20.0%, which is higher than the 
result of BB84 with only one-way classical communica- 
tions and without Pab|§|. 



VI. CONCLUSIONS AND DISCUSSIONS 

In this paper, we have proved the unconditional secu- 
rity of simple modification of standard BB84 protocol — 
BB84 without public announcement of bases, by apply- 
ing two-way classical communications. In addition, we 
present a detailed protocol, protocol 3, and follow other 
2-EPP procedures 5, 6] to calculate a lower bound of 
the tolerable error rate of the protocol. The result of 
about 20.0% demonstrates advantages of two-way clas- 
sical communications over one-way classical communica- 
tions without PAB whose tolerable error rate is about 
ll%Bl- Compared to the previous BB84 protocol sets, 
this protocol benefits from both two-way classical com- 
munications which tolerate higher error rate and the 
technique without PAB which increases key generation 
rate. As a result, it is much more efficient than previ- 
ous protocols, and can be widely used in future quantum 
communications . 
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